Intel Discloses 16 BIOS Firmware Vulnerabilities, What You Need To Know
When folks talk about major security flaws like the Log4shell exploit in Log4j, or the Eternal Silence UPnP exploit, everyone tends to panic until they're resolved. That's because those bugs are remotely exploitable, meaning that they can be used to attack a system over the internet without placing the attacker in danger, whether that of arrested or even simply being discovered. If you're on the internet, you could be vulnerable.
Intel just revealed a list of 16 new vulnerabilities in the firmware for its processors, and while most of these are quite severe (with the worst being rated at 8.2 severity), you probably won't see folks panicking and working overnight to get these problems patched. The reason is because all of these vulnerabilities require physical access to the target machine. That means you have to be physically near the system you want to attack.
Does that make these flaws harmless? Not at all. Even ignoring the remote possibility of some Metal Gear Solid-style infiltration into a data center, many firms have, for example, business laptops with company secrets on them. An attacker could use one of these flaws to gain administrative access to the machine without the proper credentials, laying bare the contents of the system for bad actors to misuse.
There's surprisingly little information available about the specific nature of the flaws, but based on the CVEs we know that these bugs aren't related to the slew of security faults found in the InsydeH2O UEFI firmware earlier this month that affects millions of devices. These flaws also aren't part of Intel's 2021 Product Security Report, naturally.
The list of affected products includes Intel Core-family processors from the 6th- through 12th-generation as well as associated products using the same architectures, like the Core X-series and quite a few Xeon chips. Curiously, the Denverton Atom series (C3xxx family) is also afflicted with these flaws.
None of the 16 security holes are patched yet, but Intel says it has firmware updates on the way to address all of these problems. Given the privileged credentials and physical access required, most users probably shouldn't be too concerned. We might recommend keeping a tight leash on any Intel-based company laptops just in case, though.